Security of SecurID In Question Following Hack of RSA
March 30, 2011 Alex Woodie
Following the disclosure by RSA Security over the weekend that its computers had been hacked and information relating to its two-factor authentication software, called SecurID, had been compromised, customers that rely on RSA’s software are wondering what steps they should take next.
In an open letter to RSA customers, RSA’s executive chairman Art Coviello Jr. explained that RSA recently discovered that it was the victim of an “extremely sophisticated cyber attack,” dubbed an Advanced Persistent Threat (APT) attack. The company’s security pros caught the attack as it was in progress, and immediately took steps to harden the RSA systems so it couldn’t happen again, he says.
During a subsequent investigation, RSA discovered that the attack “resulted in certain information being extracted from RSA’s systems,” including information about SecurID, one of the EMC subsidiary’s most popular products.
“While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack,” Coviello says.
While Coviello says there is no evidence that any SecurID customers have been compromised as a result of the attack, it is clear from RSA’s statement that it believes the hack and subsequent transfer of sensitive data to cyber criminals could conceivably play some type of supporting role in a compromise of a customer’s system.
When installed, SecurID uses two things, a cryptographic key that lives on some type of token and a password that lives in somebody’s head, to grant or deny a requesting user access to a system. Even if RSA’s complete database were hacked and cyber criminals were distributing copies of customers’ crypto keys as we speak (the worst-case scenario), that doesn’t automatically mean that SecurID customers will soon become the subject of a “successful direct attack,” as EMC puts it.
RSA isn’t sharing a lot of specific information about the attack or what it means for SecurID customers. In a post to its SecurCare online support system, the company states: “We strongly urge immediate customer attention to this advisory, and we are providing immediate remediation steps for customers to take to strengthen their RSA SecurID implementations.”
This article has been corrected. Powertech’s IBM i security software does not integrate with RSA’s SecurID product. It previously sold a product that integrated with a different RSA encryption product. IT Jungle regrets the error.